Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 24 Aug 2020 18:13:43 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: Incompatible behaviour of res_query(3) w.r.t. NXDOMAIN

On Tue, Aug 25, 2020 at 12:04:44AM +0200, Florian Weimer wrote:
> * Rich Felker:
> 
> > On Mon, Aug 24, 2020 at 11:04:49PM +0200, Florian Weimer wrote:
> >> * Rich Felker:
> >> 
> >> > Hmm, I think in this case the "better" might be sufficient that we
> >> > want to keep it and pressure other implementations to change too. A
> >> > program performing a lookup where the result is NxDomain may very well
> >> > want to know whether that's an authenticated (by DNSSEC) NxDomain or
> >> > one in an insecure zone. Returning an error to the caller with no
> >> > packet contents discards this critical data.
> >> 
> >> Isn't this the behavior you'd get with res_send?
> >> 
> >> I think such error translation is precisely the point of the res_query
> >> convenience function (along with the implicit construction of the
> >> query packet).
> >
> > Does such a distinction exist?
> 
> Yes, I think so.  It's the behavior of the BIND 4 era stub resolver
> code.

OK. The man pages (and glibc docs? not sure) don't seem to document
this, so we should probably try to get them fixed too. The closest I
can find is the text that:

    "In the case of an error return from res_nquery(), res_query(),
    res_nsearch(), res_search(), res_nquerydomain(), or
    res_querydomain(), the global variable h_errno (see
    gethostbyname(3)) can be consulted to determine the cause of the
    error."

which could be interpreted as saying the same errors are specified to
happen (does this mean NODATA shoudl also be an error rather than a
success return?), but it doesn't make clear that nxdomain and noerror
are not errors for res_send etc.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.